An ongoing malvertising campaign tracked as “Tag Barnakle” is now targeting mobile users, a researcher finds.
A security researcher Eliya Stein of Confiant estimated that Tag Barnakle has been linked to over 120 breaches of ad servers over the past year.
In this malvertising campaign, attackers inject malicious code into ad servers with the goal of serving fake ads that redirect users to rogue websites to target them with scams and malware.
Unlike other operators who try to buy space on legitimate websites for running the malicious ads, Tag Barnakle can “bypass this initial hurdle completely by going straight for the jugular — mass compromise of ad serving infrastructure,” said Stein in a Monday post.
In April 2020, Confiant reported that the Tag Barnakle actors have compromised nearly 60 ad servers, most of the infections happened to an open-source advertising server Revive.
In the latest round of attacks, the campaign operators have upgraded their tools to target mobile devices as well, the researcher believes.
“Tag Barnakle is now pushing mobile targeted campaigns, whereas last year they were happy to take on desktop traffic,” Stein said.
Since Revive is used by a big number of platforms and media companies, Confiant estimates Tag Barnakle has hit “tens if not hundreds of millions of devices.”
“This is a conservative estimate that takes into consideration the fact that they cookie their victims in order to reveal the payload with low frequency, likely to slow down detection of their presence,” Stein said.